A shallow question, but I am not familiar with aws. how do you allow access to your aws resource from your desktop application? that is, I would have assumed you would need to embed some sort of aws key.
If you're a developer, needing access to AWS resources - then you install credentials on your machine.
Ideally you use some form of short lived credentials, provided by say AWS SSO.
Generally if you're shipping an application, you don't give them credentials to access to your AWS Resources directly.
For instance, perhaps you want to allow someone to download a file from S3 - well you would provide some form of private API that would generate a pre-signed AWS S3 Uri. In that pre-signed Uri, there's an explicit expiry time.
Most other things, you would probably stand up an API to handle interacting with your AWS resources on behalf of a customer.
One instance I saw was someone that built some agent-endpoint software that streamed logs direct to AWS Kinesis.
Their desktop application would periodically request AWS Keys from their API which were only valid for some short period of time, and scoped to writing to a specific Kinesis endpoint.
8 comments
[ 40.2 ms ] story [ 734 ms ] threadHowever there are thousands of inactive and revoked keys, so it's more accurate to say "I found only 57 that where not yet revoked by their authors".
(I guess the hacker can also just watch every 5 mins instead of every 30 mins...)
https://docs.aws.amazon.com/cli/latest/userguide/cli-configu...
If you're a developer, needing access to AWS resources - then you install credentials on your machine. Ideally you use some form of short lived credentials, provided by say AWS SSO.
Generally if you're shipping an application, you don't give them credentials to access to your AWS Resources directly.
For instance, perhaps you want to allow someone to download a file from S3 - well you would provide some form of private API that would generate a pre-signed AWS S3 Uri. In that pre-signed Uri, there's an explicit expiry time.
Most other things, you would probably stand up an API to handle interacting with your AWS resources on behalf of a customer.
One instance I saw was someone that built some agent-endpoint software that streamed logs direct to AWS Kinesis. Their desktop application would periodically request AWS Keys from their API which were only valid for some short period of time, and scoped to writing to a specific Kinesis endpoint.